Details:
MIT krb5-appl has been reported to contain a vulnerability that could be leveraged by a remote attacker to execute arbitrary code on the targeted system. The vulnerability lies in the telnet encryption-option handling code that ships alongside the Kerberos-based authentication support.

The vulnerability was introduced when the BSD telnet daemon and client utilities gained support for cryptographic security via the MIT Kerberos-based authentication mechanism. The same code was later incorporated into FreeBSD and GNU inetutils, making those vulnerable as well.

The vulnerability is a pre-authentication memory corruption error that can be triggered remotely by submitting an arbitrarily long encryption key id to the target system. Specifically, it exists within the encrypt_keyid() function of the encrypt.c source file of the affected software.

The vulnerable source file defines the following structure to keep track of the encryption state:

#define MAXKEYLEN 64

static struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int dir;
    int *modep;
    Encryptions *(*getcrypt)();
} ki[2] = {
    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
};

However, encrypt_keyid() fails to impose sufficient boundary restrictions on the user-supplied key id and copies it into the key_info structure via memcpy() without honoring the MAXKEYLEN constant. Because ki[] is a file-scope static array, the overrun lands in the program's data segment rather than on the heap: bytes written past keyid[] overwrite the keylen, dir and modep members and then the getcrypt function pointer that follows them in the structure, which is what turns a plain overflow into memory corruption an attacker can steer.

Successful exploitation could allow the attacker to leverage the memory corruption error to execute arbitrary code on the targeted system with the privileges of the affected software (the telnet daemon commonly runs as root). Failed exploit attempts could result in a denial of service condition on the targeted system.
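The following is an added example, not code from MIT krb5-appl, FreeBSD or GNU inetutils: the unchecked copy next to a bounds-checked one, on a structure with the same member order as key_info above. The opaque Encryptions type, the findencryption/finddecryption stand-ins returning NULL, the keyid_store_unchecked/keyid_store_checked/try_store_checked function names and the two layout helpers are this example's own; the layout helpers show why a key id longer than MAXKEYLEN reaches the getcrypt function pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXKEYLEN 64
#define DIR_ENCRYPT 1
#define DIR_DECRYPT 2

typedef struct Encryptions Encryptions;   /* opaque here; only the pointer type matters */

/* Same member order as the key_info structure quoted in the advisory. */
struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int dir;
    int *modep;
    Encryptions *(*getcrypt)(void);       /* function pointer sitting behind keyid[] */
};

static int encrypt_mode, decrypt_mode;
static Encryptions *findencryption(void) { return NULL; }   /* stand-in for the real lookup */
static Encryptions *finddecryption(void) { return NULL; }   /* stand-in for the real lookup */

static struct key_info ki[2] = {
    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
};

/* Vulnerable shape: the peer controls len and nothing compares it to MAXKEYLEN. */
static void keyid_store_unchecked(struct key_info *kp, const unsigned char *keyid, int len)
{
    memcpy(kp->keyid, keyid, (size_t)len);
    kp->keylen = len;
}

/* Hardened shape: refuse anything that does not fit before touching memory.
 * Returns 0 on success, -1 if the key id is rejected. */
static int keyid_store_checked(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;
    memcpy(kp->keyid, keyid, (size_t)len);
    kp->keylen = len;
    return 0;
}

/* Constructed test vector: a key id of `len` bytes of 'B' run through the checked store. */
static int try_store_checked(struct key_info *kp, int len)
{
    unsigned char buf[256];
    if (len < 0 || (size_t)len > sizeof buf)
        return -1;
    memset(buf, 'B', sizeof buf);
    return keyid_store_checked(kp, buf, len);
}

/* How many bytes of a key id of the given length spill past keyid[]. */
static size_t keyid_overrun(int len)
{
    return len > MAXKEYLEN ? (size_t)len - MAXKEYLEN : 0;
}

/* Does a key id of the given length reach the getcrypt function pointer? */
static int overrun_hits_getcrypt(int len)
{
    return (size_t)len > offsetof(struct key_info, getcrypt);
}

int main(void)
{
    unsigned char legit[MAXKEYLEN];
    const int oversized = 128;
    memset(legit, 'A', sizeof legit);

    /* In-bounds key ids behave the same on both paths. */
    keyid_store_unchecked(&ki[0], legit, MAXKEYLEN);
    printf("unchecked store of %d bytes: keylen=%d\n", MAXKEYLEN, ki[0].keylen);

    /* The hardened path rejects the oversized key id.  The unchecked path is
     * deliberately never called with it: that write is undefined behaviour,
     * so the helpers below report where it would land instead. */
    printf("checked store of %d bytes: %s\n", oversized,
           try_store_checked(&ki[1], oversized) ? "rejected" : "accepted");
    printf("%zu bytes would spill past keyid[]; getcrypt (offset %zu) reachable: %s\n",
           keyid_overrun(oversized), offsetof(struct key_info, getcrypt),
           overrun_hits_getcrypt(oversized) ? "yes" : "no");
    return 0;
}
```

Build with a plain `cc encrypt_keyid_demo.c` (file name is the reader's choice). The point of the offsetof() helpers is that the distance from keyid[] to getcrypt is fixed by the structure layout, so an attacker only needs to send a key id a few dozen bytes longer than MAXKEYLEN to control a function pointer the daemon later calls.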

Details:
VLC Media Player has been reported to contain a vulnerability that could allow a remote attacker to execute arbitrary code on the targeted system. The vulnerability lies in the libty_plugin demuxer module, which parses .ty files. The demuxer keeps its parsing state in the following structure:

struct demux_sys_t
{
    ...
    ty_rec_hdr_t *rec_hdrs;   /* record headers array */
    int i_cur_rec;            /* current record in this chunk */
    int i_num_recs;           /* number of recs in this chunk */
    ...
};

The vulnerability exists due to an implementation flaw within the get_chunk_header() function of the ty.c source file of the vulnerable plugin. When a new chunk is processed the function frees the record headers array, rec_hdrs, but leaves the now-dangling pointer stored in demux_sys_t, so later code that frees or dereferences rec_hdrs operates on freed memory and corrupts heap structures. The upstream fix clears the pointer immediately after the free:

diff --git a/modules/demux/ty.c b/modules/demux/ty.c

index e916b41..b181a6a 100644 (file)

--- a/modules/demux/ty.c

+++ b/modules/demux/ty.c

@@ -1887,6 +1887,7 @@ static int get_chunk_header(demux_t *p_demux)

/*msg_Dbg( p_demux, "chunk has %d records", i_num_recs );*/

free(p_sys->rec_hdrs);

+ p_sys->rec_hdrs = NULL;

/* skip past the 4 bytes we "peeked" earlier */

stream_Read( p_demux->s, NULL, 4 );
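Review bot: clearing rec_hdrs here stops a second free() of the same block, but the hunk does not show the point where rec_hdrs is next assigned, so any early return between this free() and that assignment now leaves p_sys->rec_hdrs NULL while p_sys->i_num_recs and p_sys->i_cur_rec still describe the old array; consider resetting those counters in the same place (`p_sys->i_num_recs = 0;`) or confirming that every reader checks rec_hdrs before indexing into it.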

Successful exploitation could allow the attacker to turn the memory corruption into arbitrary code execution on the targeted system within the security context of the affected software; a crafted .ty file is the delivery vector.
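The following is an added example, not VLC's code: a cut-down model of demux_sys_t and get_chunk_header() driven by a constructed chunk stream, showing the free-without-clear pattern next to the patched one. The chunk_stream_t type, the next_chunk_count/parse_stream/close_demux helpers and the sample_chunks vector are this example's own; the early return on a bad record count is an assumption about how the stale pointer survives to be freed again, and resetting i_num_recs/i_cur_rec in the fixed version goes beyond the one-line upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char raw[16]; } ty_rec_hdr_t;   /* stand-in for VLC's record header */

/* The members of demux_sys_t quoted in the advisory. */
typedef struct {
    ty_rec_hdr_t *rec_hdrs;   /* record headers array */
    int i_cur_rec;            /* current record in this chunk */
    int i_num_recs;           /* number of recs in this chunk */
} demux_sys_t;

/* Constructed stand-in for the input stream: each chunk header is reduced to
 * its record count; a count of 0 or less models a truncated or corrupt chunk. */
typedef struct { const int *counts; int n; int pos; } chunk_stream_t;

/* Constructed sample: good chunk, good chunk, corrupt chunk, never reached. */
static const int sample_chunks[] = { 3, 5, -1, 2 };
static const int sample_chunks_len = 4;

static int next_chunk_count(chunk_stream_t *s, int *out)
{
    if (s->pos >= s->n)
        return -1;                 /* end of stream */
    *out = s->counts[s->pos++];
    return 0;
}

/* Vulnerable shape: free() without clearing the pointer.  After the early
 * return on a bad count (this example's assumption), p_sys->rec_hdrs still
 * holds the freed address, and the next free() of it, from the next chunk or
 * from the plugin's Close(), is a double free. */
static int get_chunk_header_vuln(demux_sys_t *p_sys, chunk_stream_t *s)
{
    int i_num_recs;
    if (next_chunk_count(s, &i_num_recs) != 0)
        return -1;
    free(p_sys->rec_hdrs);
    if (i_num_recs <= 0)
        return -1;                 /* rec_hdrs now dangles */
    p_sys->rec_hdrs = calloc((size_t)i_num_recs, sizeof *p_sys->rec_hdrs);
    if (p_sys->rec_hdrs == NULL)
        return -1;
    p_sys->i_num_recs = i_num_recs;
    p_sys->i_cur_rec = 0;
    return 0;
}

/* Fixed shape: clear the pointer immediately after free(), as the upstream
 * patch does, and (this example's extra hardening) reset the record counters
 * so no later loop walks a NULL array with a stale i_num_recs. */
static int get_chunk_header_fixed(demux_sys_t *p_sys, chunk_stream_t *s)
{
    int i_num_recs;
    if (next_chunk_count(s, &i_num_recs) != 0)
        return -1;
    free(p_sys->rec_hdrs);
    p_sys->rec_hdrs = NULL;
    p_sys->i_num_recs = 0;
    p_sys->i_cur_rec = 0;
    if (i_num_recs <= 0)
        return -1;
    p_sys->rec_hdrs = calloc((size_t)i_num_recs, sizeof *p_sys->rec_hdrs);
    if (p_sys->rec_hdrs == NULL)
        return -1;
    p_sys->i_num_recs = i_num_recs;
    return 0;
}

/* What a Close() routine does with the array: free(NULL) is a no-op, so this
 * is safe after the fixed parser no matter where parsing stopped. */
static void close_demux(demux_sys_t *p_sys)
{
    free(p_sys->rec_hdrs);
    p_sys->rec_hdrs = NULL;
    p_sys->i_num_recs = 0;
    p_sys->i_cur_rec = 0;
}

/* Drive a stream of chunk counts through the given parser; returns how many
 * chunks parsed successfully and leaves p_sys in the parser's final state. */
static int parse_stream(demux_sys_t *p_sys,
                        int (*get_chunk_header)(demux_sys_t *, chunk_stream_t *),
                        const int *counts, int n)
{
    chunk_stream_t s = { counts, n, 0 };
    int ok = 0;
    while (s.pos < n && get_chunk_header(p_sys, &s) == 0)
        ok++;
    return ok;
}

int main(void)
{
    demux_sys_t sys = { NULL, 0, 0 };

    int ok = parse_stream(&sys, get_chunk_header_vuln, sample_chunks, sample_chunks_len);
    printf("vulnerable parser: %d chunks ok, rec_hdrs %s after the corrupt chunk\n",
           ok, sys.rec_hdrs ? "still set (dangling)" : "NULL");
    sys.rec_hdrs = NULL;           /* do NOT let close_demux() free it a second time */
    close_demux(&sys);

    ok = parse_stream(&sys, get_chunk_header_fixed, sample_chunks, sample_chunks_len);
    printf("fixed parser: %d chunks ok, rec_hdrs %s, i_num_recs=%d\n",
           ok, sys.rec_hdrs ? "still set" : "NULL", sys.i_num_recs);
    close_demux(&sys);             /* free(NULL): safe */
    return 0;
}
```

The main() never lets the vulnerable parser's dangling pointer reach a second free(), because that is exactly the undefined behaviour the advisory describes; it only reports that the pointer is still set. Running the real thing under AddressSanitizer or with MALLOC_CHECK_ set is how you would confirm the double free on a build of the unpatched plugin.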